[PATCH 2/2] driver: fix unsigned long overflow in leave_hypervisor
12 views
Skip to first unread message
antonios...@huawei.com
Apr 28, 2016, 10:13:06 AM4/28/16
to jailho...@googlegroups.com, Antonios Motakis, jan.k...@siemens.com, claudio...@huawei.com, jani.k...@huawei.com, dmitry...@huawei.com
From: Antonios Motakis <antonios...@huawei.com>
When shutting down the hypervisor, in the leave_hypervisor
function, the Linux driver touches every hypervisor page, to
ensure all pages are mapped. However, the current implementation
assumes hv_core_and_percpu_size is aligned to PAGE_SIZE. This may
not be the case, if PAGE_SIZE is different on the hypervisor side.
This can cause an unsigned long overflow, leading to an infinite
loop of touching successive pages starting from hypervisor_mem.
The loop will be broken as soon as Linux tries to touch an invalid
page, leading to a kernel crash.
Signed-off-by: Antonios Motakis <antonios...@huawei.com>
---
driver/main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/driver/main.c b/driver/main.c
index 0ce33a9..ff8e770 100644
--- a/driver/main.c
+++ b/driver/main.c
@@ -352,15 +352,15 @@ error_unlock:
static void leave_hypervisor(void *info)
{
- unsigned long size;
void *page;
int err;
/* Touch each hypervisor page we may need during the switch so that
* the active mm definitely contains all mappings. At least x86 does
* not support taking any faults while switching worlds. */
- for (page = hypervisor_mem, size = hv_core_and_percpu_size; size > 0;
- size -= PAGE_SIZE, page += PAGE_SIZE)
+ for (page = hypervisor_mem;
+ page < hypervisor_mem + hv_core_and_percpu_size;
+ page += PAGE_SIZE)
readl((void __iomem *)page);
/* either returns 0 or the same error code across all CPUs */
--
2.8.0.rc3
When shutting down the hypervisor, in the leave_hypervisor
function, the Linux driver touches every hypervisor page, to
ensure all pages are mapped. However, the current implementation
assumes hv_core_and_percpu_size is aligned to PAGE_SIZE. This may
not be the case, if PAGE_SIZE is different on the hypervisor side.
This can cause an unsigned long overflow, leading to an infinite
loop of touching successive pages starting from hypervisor_mem.
The loop will be broken as soon as Linux tries to touch an invalid
page, leading to a kernel crash.
Signed-off-by: Antonios Motakis <antonios...@huawei.com>
---
driver/main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/driver/main.c b/driver/main.c
index 0ce33a9..ff8e770 100644
--- a/driver/main.c
+++ b/driver/main.c
@@ -352,15 +352,15 @@ error_unlock:
static void leave_hypervisor(void *info)
{
- unsigned long size;
void *page;
int err;
/* Touch each hypervisor page we may need during the switch so that
* the active mm definitely contains all mappings. At least x86 does
* not support taking any faults while switching worlds. */
- for (page = hypervisor_mem, size = hv_core_and_percpu_size; size > 0;
- size -= PAGE_SIZE, page += PAGE_SIZE)
+ for (page = hypervisor_mem;
+ page < hypervisor_mem + hv_core_and_percpu_size;
+ page += PAGE_SIZE)
readl((void __iomem *)page);
/* either returns 0 or the same error code across all CPUs */
--
2.8.0.rc3
Jan Kiszka
Apr 28, 2016, 1:51:26 PM4/28/16
to antonios...@huawei.com, jailho...@googlegroups.com, claudio...@huawei.com, jani.k...@huawei.com, dmitry...@huawei.com
Do they already fix jailhouse disable with my arm64 config?
Jan
--
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux
Antonios Motakis
Apr 29, 2016, 9:31:47 AM4/29/16
to Jan Kiszka, jailho...@googlegroups.com, claudio...@huawei.com, jani.k...@huawei.com, dmitry...@huawei.com
>
> Jan
>
--
Antonios Motakis
Virtualization Engineer
Huawei Technologies Duesseldorf GmbH
European Research Center
Riesstrasse 25, 80992 München
Jan Kiszka
Apr 29, 2016, 12:11:10 PM4/29/16
to Antonios Motakis, jailho...@googlegroups.com, claudio...@huawei.com, jani.k...@huawei.com, dmitry...@huawei.com
Jan Kiszka
May 2, 2016, 3:30:53 AM5/2/16
to Antonios Motakis, jailho...@googlegroups.com, claudio...@huawei.com, jani.k...@huawei.com, dmitry...@huawei.com
Thanks,
Reply all
Reply to author
Forward
0 new messages